I have a specific JavaScript template that makes a POST request to another EE template file that executes PHP and returns some result in AJAX.
This is safe by nature and does not require the form token check. But the JS will default to a 403 denied error because ExpressionEngine thinks it’s trying to make a request to a POST form, which is not the case here.
The reason I want this in EE is that I need to pass some EE channel variables to the PHP code.
Is there a way I can tell EE to skip this POST check request? Maybe in the JS file or in the PHP template file?
Searching the docs I see there is csrf_exempt. Any clues how to use this on my PHP code so EE will not check for a token request?
Exactly, I don’t want to disable this globally. Just for this specific POST request.
I did read that documentation link you provided, but I’m not sure what they mean by “This is done by setting the csrf_exempt column in the actions table to 1 for that action.”
What column? There is no specific code example on how this works or what has to be passed on the request. This is the reason I posted this. I found that link as well, but there is not enough information in the docs on how to use this. Searching the web gave me no results either, at least not for ExpressionEngine.
By way of background, I do want to say that we don’t recommend disabling the CSRF token.
That being said, in the exp_actions table there is a column called “csrf_exempt”. This is how you can remove the need for the CSRF token check on a given ExpressionEngine Action. An action can be defined on install or update of an add-on.
Thanks,
-Tom Jaeger
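
The reply above, as an added example that is not part of the original thread and is not ExpressionEngine's own code: an add-on update file that registers a single action with csrf_exempt set to 1, so that only this action skips the token check while the check stays on for the rest of the site. The add-on name Channel_lookup and the method name fetch_result are hypothetical.

```php
<?php
// upd.channel_lookup.php
// "Channel_lookup" and "fetch_result" are hypothetical names used for illustration.

class Channel_lookup_upd
{
    public $version = '1.0.0';

    public function install()
    {
        // Register the module so its actions can be dispatched.
        ee()->db->insert('modules', array(
            'module_name'        => 'Channel_lookup',
            'module_version'     => $this->version,
            'has_cp_backend'     => 'n',
            'has_publish_fields' => 'n',
        ));

        // One row in exp_actions; csrf_exempt = 1 applies to this row only.
        ee()->db->insert('actions', array(
            'class'       => 'Channel_lookup',
            'method'      => 'fetch_result',
            'csrf_exempt' => 1,
        ));

        return true;
    }

    public function update($current = '')
    {
        // For sites that installed the action before the exemption was added.
        if (version_compare($current, $this->version, '<')) {
            ee()->db->where('class', 'Channel_lookup')
                ->where('method', 'fetch_result')
                ->update('actions', array('csrf_exempt' => 1));
        }

        return true;
    }

    public function uninstall()
    {
        // Remove the exemption together with the add-on.
        ee()->db->where('module_name', 'Channel_lookup')->delete('modules');
        ee()->db->where('class', 'Channel_lookup')->delete('actions');

        return true;
    }
}
```

Because nothing verifies the origin of a request to an exempt action, fetch_result should only read data and should validate every POST field it uses.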